| Summary: | automake security issue (CVE-2012-3386) | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Olivier Delaune <olivier.delaune> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | | |
| Priority: | Normal | CC: | luigiwalser, shlomif, stormi-mageia, sysadmin-bugs, tmb, zen25000 |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA1TOO MGA1-32-OK MGA1-64-OK MGA2-64-OK MGA2-32-OK | | |
| Source RPM: | automake | CVE: | |
| Status comment: | | | |

Description
Olivier Delaune
2012-07-11 08:05:08 CEST
"everything prior to v1.12.1-214-g15b8b62" so mga1 and 2 and "The Red Hat Security Response Team has rated this issue as having low security" so we can drop the critical CC:
(none) => luigiwalser, shlomif

Should I provide an automake-1.12.2 update for Mageia Linux 1 and 2?

(In reply to comment #2)
> Should I provide an automake-1.12.2 update for Mageia Linux 1 and 2?

No, we should just patch for this. There is a patch attached to the RedHat bug, as well as links to GIT commits in the 1.11 and 1.12 branches to fix this. I think upgrading automake versions can cause buildability issues in existing packages, so I wouldn't advise it.

OK, I've pushed automake-1.11.3-1.1.mga2 to Mageia 2 core/updates_testing with the patch. Please test.

Thanks. Could you build an update for Mageia 1 as well?

OK I uploaded automake-1.11.1-3.1.mga1 to Mageia 1 core/updates_testing.

Advisory:
========================

Updated automake package fixes security vulnerability:

Before 1.12.2, the recipe of the 'distcheck' target granted temporary world-write permissions on the extracted distdir. This introduced a locally exploitable race condition for those who run "make distcheck" with a non-restrictive umask (e.g., 022) in a directory that was accessible by others. A successful exploit would result in arbitrary code execution with the privileges of the user running "make distcheck" (CVE-2012-3386).

It is important to stress that this vulnerability impacts not only the Automake package itself, but all packages with Automake-generated makefiles. For an effective fix it is necessary to regenerate the Makefile.in files with a fixed Automake version.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3386
https://bugzilla.redhat.com/show_bug.cgi?id=838286
https://lists.gnu.org/archive/html/automake/2012-07/msg00022.html
https://lists.gnu.org/archive/html/automake/2012-07/msg00023.html
========================

Updated packages in core/updates_testing:
========================
automake-1.11.1-3.1.mga1
automake-1.11.3-1.1.mga2

from SRPMS:
automake-1.11.1-3.1.mga1.src.rpm
automake-1.11.3-1.1.mga2.src.rpm

Assignee: bugsquad => qa-bugs

Mandriva has issued an advisory for this today (July 12):
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:103

We could use their text for the CVE description since I couldn't find a good one yesterday.

A race condition in automake (lib/am/distdir.am) could allow a local attacker to run arbitrary code with the privileges of the user running make distcheck (CVE-2012-3386).

I just took a closer look at Mandriva's work...we also need to patch automake1.7 and possibly automake1.4. Oops :o(

OK, automake1.7 updates are patched for Cauldron, Mageia 2, and Mageia 1.

automake1.4 code is totally different, but it had the same vulnerability. It was already previously fixed and was called CVE-2009-4029.

Also for QA, I found the PoC for this, it's right in the patch (at the bottom)!
http://svnweb.mageia.org/packages/updates/2/automake/current/SOURCES/automake-distcheck.diff?revision=269551&view=markup

Advisory:
========================

Updated automake package fixes security vulnerability:

A race condition in automake (lib/am/distdir.am) could allow a local attacker to run arbitrary code with the privileges of the user running make distcheck (CVE-2012-3386).

Please note that this vulnerability impacts not only the Automake package itself, but all packages with Automake-generated makefiles. For an effective fix it is necessary to regenerate the Makefile.in files with a fixed Automake version.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3386
https://bugzilla.redhat.com/show_bug.cgi?id=838286
https://lists.gnu.org/archive/html/automake/2012-07/msg00022.html
https://lists.gnu.org/archive/html/automake/2012-07/msg00023.html
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:103
========================

Updated packages in core/updates_testing:
========================
automake-1.11.1-3.1.mga1
automake1.7-1.7.9-13.1.mga1
automake-1.11.3-1.1.mga2
automake1.7-1.7.9-13.1.mga2

from SRPMS:
automake-1.11.1-3.1.mga1.src.rpm
automake1.7-1.7.9-13.1.mga1.src.rpm
automake-1.11.3-1.1.mga2.src.rpm
automake1.7-1.7.9-13.1.mga2.src.rpm

OK, we have advisories and updated packages, what should we do to get this bug closed?

(In reply to comment #11)
> OK, we have advisories and updated packages, what should we do to get this bug
> closed?

They need to be tested (by someone other than you and I since we packaged them) to verify that they work OK. Given that it's a development tool, it'd probably be good to recruit some packagers to test them.

Testing Mageia 1 32 bits complete. I rebuilt the referencer and hplip packages. The first one uses autoreconf and the second one automake in the spec file. Build went fine.

CC: (none) => stormi

Testing Mageia 1 64 bits complete.

Whiteboard: MGA1TOO MGA1-32-OK => MGA1TOO MGA1-32-OK MGA1-64-OK

Tested Mageia 2 x86_64 builds of both referencer and hplip packages first without and then with the update candidate of automake package, there were no differences in the build logs that I could detect and all builds completed correctly.

CC: (none) => zen25000

Thanks barry. Now we just need testing on Mageia 2 i586 and the update will go.

Whiteboard: MGA1TOO MGA1-32-OK MGA1-64-OK => MGA1TOO MGA1-32-OK MGA1-64-OK MGA2-64-OK

Testing complete on Mageia 2 i586. Update validated. No linking required. Thanks! See comment #10 for advisory and packages.

Keywords: (none) => validated_update

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0193

Status: NEW => RESOLVED
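
The advisory's point that already-generated Makefile.in files stay affected until regenerated can be checked mechanically. The following is an added example, not part of this bug report or of Automake: it scans a source tree for Makefile.in files that still give others write permission on the distdir. It assumes the grant appears as a `chmod` on `$(distdir)`, which the thread does not quote; the function names and sample recipes are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Assumption (the thread does not quote the recipe): the world-write grant
# appears in the generated Makefile.in as a chmod whose target is $(distdir).
CHMOD_DISTDIR = re.compile(
    r'chmod\s+(?:-[A-Za-z]+\s+)*(\S+)\s+["\']?\$[({]distdir[)}]')

def grants_world_write(mode):
    """True if a chmod mode argument (octal or symbolic) lets 'other' write."""
    if re.fullmatch(r'[0-7]{3,4}', mode):
        return bool(int(mode, 8) & 0o002)
    for clause in mode.split(','):
        m = re.fullmatch(r'([ugoa]*)((?:[-+=][rwxXst]*)+)', clause)
        if not m:
            continue
        who, ops = m.groups()
        # A bare "+w" is filtered by the umask; "u+w" and "g+w" never reach others.
        if set(who) & {'o', 'a'} and re.search(r'[+=][rxXst]*w', ops):
            return True
    return False

def scan_makefile(text):
    """Return (line_number, mode) for each chmod on $(distdir) that lets others write."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CHMOD_DISTDIR.finditer(line):
            if grants_world_write(m.group(1)):
                hits.append((lineno, m.group(1)))
    return hits

def scan_tree(root):
    """Map every Makefile.in under root that still needs regenerating to its hits."""
    report = {}
    for path in sorted(Path(root).rglob('Makefile.in')):
        hits = scan_makefile(path.read_text(errors='replace'))
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample recipes, not copied from any real package.
STALE = "distcheck: dist\n\tchmod -R a-w $(distdir); chmod a+w $(distdir)\n\tmkdir $(distdir)/_build\n"
FIXED = "distcheck: dist\n\tchmod -R a-w $(distdir); chmod u+w $(distdir)\n\tmkdir $(distdir)/_build\n"

if __name__ == '__main__':
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else '.').items():
        for lineno, mode in hits:
            print(f'{path}:{lineno}: chmod {mode} on $(distdir); regenerate with a fixed Automake')
```

Matching on the recipe rather than on the "generated by automake" version header matters here because the patched distribution packages in this thread keep their 1.11.x version numbers.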